
I have Microsoft Graph set up within the local application and the Azure Portal. I can sign in with my own account successfully, but when another employee attempts to sign in I receive a successful authentication and access token, and then when InitializeGraphClientAsync() is called Microsoft.Graph.ServiceException is thrown with the following…

Exception thrown: 'Microsoft.Graph.ServiceException' in System.Private.CoreLib.dll
Failed to initialized graph client.
Accounts in the msal cache: 1.
See exception message for details: Code: ErrorAccessDenied
Message: Access is denied. Check credentials and try again.

Sign in:

        public async Task<string> SignIn()
        {
            // First, attempt silent sign in
            // If the user's information is already in the app's cache,
            // they won't have to sign in again.
            var message = "";
            try
            {
                var accounts = await PCA.GetAccountsAsync();

                var silentAuthResult = await PCA.AcquireTokenSilent(Scopes, accounts.FirstOrDefault()).ExecuteAsync();

                Debug.WriteLine("User already signed in.");
                Debug.WriteLine($"Successful silent authentication for: {silentAuthResult.Account.Username}");
                Debug.WriteLine($"Access token: {silentAuthResult.AccessToken}");
                message = $"Successful silent authentication for: {silentAuthResult.Account.Username}";
            }
            catch (MsalUiRequiredException msalEx)
            {
                // This exception is thrown when an interactive sign-in is required.
                Debug.WriteLine("Silent token request failed, user needs to sign-in: " + msalEx.Message);
                message = "Silent token request failed, user needs to sign-in: " + msalEx.Message;
                // Prompt the user to sign-in
                var interactiveRequest = PCA.AcquireTokenInteractive(Scopes);

                if (AuthUIParent != null)
                {
                    interactiveRequest = interactiveRequest
                        .WithParentActivityOrWindow(AuthUIParent);
                }

                var interactiveAuthResult = await interactiveRequest.ExecuteAsync();
                Debug.WriteLine($"Successful interactive authentication for: {interactiveAuthResult.Account.Username}");
                Debug.WriteLine($"Access token: {interactiveAuthResult.AccessToken}");
                message = $"Successful interactive authentication for: {interactiveAuthResult.Account.Username}";
            }
            catch (Exception ex)
            {
                Debug.WriteLine("Authentication failed. See exception message for more details: " + ex.Message);
                message = "Authentication failed. See exception message for more details: " + ex.Message;
            }
            await InitializeGraphClientAsync();

            return message;
        }

Initialize:

        private async Task InitializeGraphClientAsync()
        {
            var currentAccounts = await PCA.GetAccountsAsync();
            try
            {
                if (currentAccounts.Count() > 0)
                {
                    // Initialize Graph client
                    GraphClient = new GraphServiceClient(new DelegateAuthenticationProvider(
                        async (requestMessage) =>
                        {
                            var result = await PCA.AcquireTokenSilent(Scopes, currentAccounts.FirstOrDefault())
                                .ExecuteAsync();

                            requestMessage.Headers.Authorization =
                                new AuthenticationHeaderValue("Bearer", result.AccessToken);
                        }));

                    await GetUserInfo();

                    IsSignedIn = true;
                }
                else
                {
                    IsSignedIn = false;
                }
            }
            catch (Exception ex)
            {
                Debug.WriteLine("Failed to initialize graph client.");
                Debug.WriteLine($"Accounts in the msal cache: {currentAccounts.Count()}.");
                Debug.WriteLine($"See exception message for details: {ex.Message}");
                await SignOut();
            }
        }

The code was lifted straight out of one of Microsoft’s tutorials.

Azure:

API permissions

I have it configured as Accounts in any organizational directory (Any Azure AD directory - Multitenant)

2 Answers


  1. You can try checking and following the below workarounds to resolve the issue:

    • Verify that the access token type that your app receives matches the type of permissions that are sought or granted.
    • You may be asking for and approving application permissions while using delegated interactive code flow tokens rather than client credential flow tokens, or you may be asking for and approving delegated permissions while using client credential flow tokens rather than delegated code flow tokens.
    • Make sure that your application is sending Microsoft Graph a valid access token as part of the request.
    • Based on the Microsoft Graph APIs your app calls, check whether the permissions you requested are the correct ones.

    References:
    Resolve Microsoft Graph authorization errors,
    Microsoft Graph permissions reference

  2. Verify that the access token type that your app receives matches the type of permissions that are sought or granted.

    It appears I must have signed in using an earlier build that had increased permissions. Checking the token given for my account vs. another employee's showed there were fewer permissions. Adding the necessary permissions eliminated the error and solved the problem.

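The token-type check from answer 1 and the token comparison from answer 2, as an added diagnostic example (not code from the question, the answers, or Microsoft's tutorial): decode the access token's payload and compare its scp (delegated) and roles (application) claims against the Graph permissions the app needs, and confirm the audience is Microsoft Graph. The REQUIRED_SCOPES set and both sample tokens are constructed for the demo; the tokens are unsigned and stand in for "my account" vs. "another employee", so they are useful only for inspecting claims, never as proof the token is genuine.

```python
import base64
import json

# Assumption: the delegated Graph permissions the app's Scopes array asks for.
REQUIRED_SCOPES = {"User.Read", "Mail.Read"}
# Either form of the Graph audience claim is valid.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature: this tells you what the
    token asserts (useful for diagnosing ErrorAccessDenied), not whether it is trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_graph_token(token: str, required: set) -> dict:
    """Report the token's permission type, missing delegated scopes and audience."""
    claims = decode_jwt_payload(token)
    delegated = set(claims.get("scp", "").split())  # delegated permissions (user sign-in flows)
    app_roles = set(claims.get("roles", []))         # application permissions (client credentials)
    token_type = "delegated" if delegated else ("application" if app_roles else "unknown")
    return {
        "token_type": token_type,
        "missing_delegated": sorted(required - delegated),
        "has_app_roles": bool(app_roles),
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
    }


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned token for the demo (Graph would never accept it)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample tokens: the author's account vs. the employee who hit ErrorAccessDenied.
ADMIN_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read Mail.Read"})
EMPLOYEE_TOKEN = make_unsigned_jwt({"aud": "https://graph.microsoft.com", "scp": "User.Read"})

if __name__ == "__main__":
    for name, tok in (("admin", ADMIN_TOKEN), ("employee", EMPLOYEE_TOKEN)):
        print(name, check_graph_token(tok, REQUIRED_SCOPES))
```

An empty missing_delegated list with audience_ok true means the token itself is not the cause; a non-empty list points at the consent or permission configuration, as in answer 2.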